U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

OFFICE OF THE CHIEF INFORMATION OFFICER

Management Attention Is Needed To Assure Adequate Computer Incident Response Capability

Final Inspection Report No. OSE-16522/September 2004

PUBLIC RELEASE

Office of Systems Evaluation


U.S. Department of Commerce                          Final Inspection Report OSE-16522
Office Of Inspector General                                          September 2004


CONTENTS

EXECUTIVE SUMMARY ........................................................................ i

BACKGROUND ............................................................................... 1

OBJECTIVES, SCOPE, AND METHODOLOGY ....................................................... 4

FINDINGS AND RECOMMENDATIONS ............................................................. 5

I.   The Department's Distributed Incident Response Structure Is Appropriate, but the
     Planned Coordination Mechanism Has Not Been Implemented .............................. 5

     A. A Distributed Structure Suits the Department's Decentralized Organization ........ 5

     B. The Federation of CIRTs Has Not Been Implemented ................................. 6

II.  Some Commerce Operating Units Lack Adequate Incident Response Procedures and Most
     Lack the Required Reviews and Approvals ............................................. 9

III. Operating Units' Incident Reporting Is Incomplete and Inconsistent ................. 12

IV.  System Administrators and IT Security Officers Must Improve Their Intrusion Detection
     Approaches and Obtain Additional Specialized Tools and Training .................... 16

     A. Intrusion Detection Approach Is Inadequate ...................................... 16

     B. Additional Specialized Training Is Needed ....................................... 16

Attachment: Department CIO's Response


EXECUTIVE SUMMARY

The Federal Information Security Management Act (FISMA)[1] requires agencies to review their information security program annually and Offices of Inspector General (OIGs) to conduct independent evaluations of those programs annually as well. Agencies are required by FISMA to implement procedures for detecting, responding to, and reporting computer security incidents.[2] Pursuant to FISMA, we evaluated the Department's computer incident response capability with a focus on the organizational structure, roles and responsibilities, and operating unit procedures for incident identification, analysis, response, and reporting.

The Department's information security policy establishes requirements for computer incident response as part of the overall information security program administered by the Department's Office of the Chief Information Officer (CIO). The policy requires all operating units to have a computer incident response capability (CIRC), defined as a set of formal mechanisms and procedures that allows an organization to react quickly, decisively, and consistently when an incident occurs. Any operating unit personnel may perform CIRC duties on an as-needed basis. An operating unit may also establish its own computer incident response team (CIRT), a formal group that performs intrusion monitoring and incident handling and reporting on a full-time basis. An operating unit that does not have its own CIRT receives support from the Department of Commerce CIRT (DOC CIRT), which resides in the Office of the Secretary.

Our evaluation found that the Department's distributed incident response structure is appropriate for the decentralized organization of the Department. However, improvements are needed to allow the Department CIO to obtain a Commerce-wide view of vulnerabilities and threats and ensure efficient and effective incident response throughout Commerce. Issues we identified include (1) the lack of a centralized entity to promote information sharing and consistency in response processes across the decentralized structure, (2) the absence of adequate incident response procedures in several units, (3) incomplete and inconsistent reporting of incidents by the operating units, and (4) the need for system administrators and IT security officers to improve their intrusion detection approaches and obtain additional specialized tools and training. Our specific findings are as follows.

The Department's Distributed Incident Response Structure Is Appropriate, but the Planned Coordination Mechanism Has Not Been Implemented. To support Commerce's decentralized and diverse organization, many of its computer incident response teams are organizationally part of the operating units as opposed to being centralized in the Department. While this permits these teams to have valuable technical and organizational knowledge of the units they serve, it also requires effective communication and coordination among the teams. Indeed, NIST guidance[3] on computer security incident handling points out that distributed teams should be part of a single centralized entity so that the incident response process is consistent across the organization and information is shared among teams. The Department CIO intended to establish what he termed a "CIRT federation" to achieve coordination and communication by July 2002. To date, however, the federation has not been implemented. Thus, coordination and communication regarding incident prevention and response do not occur systematically, and the Department CIO's ability to have an accurate Commerce-wide view of incidents and capabilities is hampered. (See page 5.)

Some Operating Units Lack Adequate Incident Response Procedures and Most Lack the Required Approvals. Having written incident response procedures is one of the most important tools for successfully handling incidents. The Department's policy requires all operating units to have formal response procedures and to submit them to the operating unit's CIO and the Department for review and approval. Despite the importance of procedures, 4 of the 10 operating units we reviewed, including the Office of the Secretary which houses DOC CIRT, do not have procedures that are detailed and complete enough to support effective incident response, 6 of the 10 units did not receive operating unit CIO approval for their procedures, and only 1 of the 10 units received approval by the Department CIO's office. The lack of adequate procedures is particularly troubling for DOC CIRT since it is the incident handling organization for the operating units without a formal CIRT. (See page 9.)

Operating Units' Incident Reporting Is Incomplete and Inconsistent. Reporting of incidents to the Federal Computer Incident Response Capability (FedCIRC) is required both by FISMA and Department policy, and analysis of reported incident data is an important way for the Department to gain a better understanding of its threats and vulnerabilities. However, few detected incidents are currently being reported. We found that one reason for inadequate reporting is that some operating units are unfamiliar with the Department's reporting requirements, and the Department has not enforced them. (See page 12.)

System Administrators and IT Security Officers Must Improve Their Intrusion Detection Approaches and Obtain Additional Specialized Tools and Training. Although incident detection can help prevent incidents or mitigate their effects, the necessary detection steps frequently are not taken. Incident prevention and detection can be facilitated by installing intrusion detection systems and reviewing log information on a regular basis. Our review identified weaknesses in the frequency and approach used to review log information from network devices. We found instances where log information was not reviewed, infrequently reviewed, or reviewed only on a monthly basis. We also found instances where large quantities of information were examined using visual inspection as opposed to automated tools. Furthermore, we found that most operating units identify few incidents, a consequence, in part, of poor incident detection techniques. Although some specialized security training is provided to system administrators, network administrators, IT security officers, and IT security staff who are responsible for responding to incidents and reviewing audit log information from network devices, this training is not systematic and does not ensure that staff members have the requisite knowledge and skills. (See page 16.)

We made numerous recommendations to the Department CIO including to define and implement an approach for achieving coordination and communication among the distributed incident response teams either through a CIRT federation or some other means, as well as for improving incident response procedures, reporting, and detection. (See pages 8, 11, 15, and 17.)

...

In his response to our draft report, the Department CIO concurred with our findings and recommendations, and described the corrective actions planned or underway. The response states that an approach for achieving coordination and communication among the Department's distributed incident response teams will be implemented by June 2005. It also states that model incident response procedures will be developed and the IT security policy and procedures will be revised to ensure prompt notification of the DOC CIRT and FedCIRC when incidents occur. The response further states that the policy will be revised and model procedures developed to address handling of network device log information, and appropriate tools to support this activity will be acquired. Training on the new policy and procedures will be provided for IT security officers and CIRT personnel, as appropriate. The implementation of these actions will be completed in FY 2005, and the Department's annual IT security compliance review program will be used to monitor compliance throughout Commerce. These actions are responsive to our recommendations and, when implemented, should improve incident detection and response. The CIO's complete response is included as an attachment to this report.

[1] Title III, E-Government Act of 2002 (P.L. 107-347).

[2] An incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. The Department's definition of a reportable incident is presented on page 14.

[3] NIST's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems.


BACKGROUND

Information security threats have become more numerous and diverse, as well as more damaging and disruptive. New types of incidents are continually emerging, and not all incidents can be prevented. An effective incident response capability is essential for rapidly detecting incidents, minimizing losses, and restoring services.

The Federal Information Security Management Act (FISMA)[1] requires agencies to review their information security program annually and Offices of Inspector General (OIGs) to conduct independent evaluations of those programs annually as well. Agencies are required by FISMA to implement procedures for detecting, responding to, and reporting computer security incidents. Pursuant to FISMA, we evaluated the Department's computer incident response capability.

National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide,[2] points out that a computer security incident was previously thought of as a security-related adverse event in which there was a loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability, but recently new types of computer security incidents have emerged, necessitating an expanded definition of an incident. The guide defines an incident as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. The guide notes that the definition of a computer security incident has evolved.

Examples of incidents include (1) denial of service attack, which prevents or impairs the authorized use of networks, systems, or applications by exhausting resources; (2) introduction of malicious code, which could be a virus, worm, Trojan horse, or other code-based entity that infects a host; (3) unauthorized access, in which logical or physical access is obtained without permission to a network, system, application, data, or other resource; and (4) inappropriate usage, which is a violation of acceptable computing use policies.

Since even strong security controls may not prevent all incidents, an effective incident response capability is imperative. NIST guidance identifies the benefits of having an incident response capability as providing the ability to:

• Respond to incidents systematically so that the appropriate steps are taken,

• Help personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services,

• Use information gained during incident handling to better prepare for handling future incidents and to provide stronger protection for systems and data, and

• Deal properly with legal issues that may arise during incidents.

Departmental Policy on Computer Incident Response

The Department's information security policy entitled, IT Security Program Policy and Minimum Implementation Standards, establishes requirements for computer incident response as part of the overall information security program, which is administered by the Department's Office of the Chief Information Officer (CIO). The incident response portion of the policy covers such topics as:

• Definition of a reportable incident,
• Responsibility for developing the computer incident response capability (CIRC),
• Responsibility for approving and updating operating unit CIRC policies and procedures,
• Information to be provided to the Department on CIRC operating procedures,
• Actions required for monitoring and detecting incidents, and
• Requirements for reporting incidents to the Federal Computer Incident Response Capability (FedCIRC).[3]

The policy requires all operating units to have a CIRC, defined as a set of formal mechanisms and procedures that allows an organization to react quickly, decisively, and consistently when an incident occurs. Any operating unit personnel may perform CIRC duties on an as-needed basis. In addition, an operating unit may establish its own computer incident response team (CIRT), a formal group that performs intrusion monitoring and incident handling and reporting on a full-time basis. An operating unit that does not have its own CIRT receives support from the Department of Commerce CIRT (DOC CIRT), which resides in the Office of the Secretary. Such units must report incidents to DOC CIRT, which then notifies FedCIRC. Formally established operating unit CIRTs must report incidents directly to FedCIRC and send an information copy of the report to DOC CIRT. According to the policy, the required interface and exchange of information among CIRTs is called the DOC federated CIRT structure.

The policy identifies two positions in the Department CIO's Office that have significant responsibilities for establishing and maintaining an agency-wide computer incident response program. The Department's IT security program manager is responsible for issuing the policy and guidance that establish the framework for the Department-wide information security program, overseeing the program, and approving associated policy. The Department's critical infrastructure program manager is responsible for acting as the central point of contact for incident handling in concert with the Office of Security and OIG, ensuring the reporting of incidents to FedCIRC, and developing the Department's federated computer incident response program. In the operating units, the IT security officers serve as their units' focal point for handling all incidents and reporting. The IT security officers are also responsible for coordinating with the Department's IT security program manager, critical infrastructure program manager, Office of Security, and OIG, as appropriate, concerning incidents, potential threats, and other concerns.

The Department's information security policy requires each operating unit IT security officer to develop standard operating policies and procedures for computer incident response. These policies and procedures are to be approved by the operating unit CIO and then submitted to the DOC critical infrastructure program manager for review and approval for integration into policies and procedures for the DOC federated CIRT. The Department's critical infrastructure program manager, in consultation with the IT security program manager, is to develop and approve all policies and procedures for operation of DOC CIRT and the DOC federation of CIRTs.

As noted previously, DOC CIRT supports those operating units that have not established a formal CIRT. Currently the following units are supported: Office of the Secretary (OS), International Trade Administration (ITA), Minority Business Development Agency (MBDA), Bureau of Industry and Security (BIS), Economics and Statistics Administration (ESA), Economic Development Administration (EDA), Technology Administration (TA), and OIG.

Units that have established their own CIRTs include: National Institute of Standards and Technology (NIST), Bureau of the Census, Bureau of Economic Analysis (BEA), National Oceanic and Atmospheric Administration (NOAA), National Technical Information Service (NTIS), National Telecommunications and Information Administration (NTIA), and United States Patent and Trademark Office (USPTO).

[1] Title III, E-Government Act of 2002 (P.L. 107-347).

[2] NIST's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. NIST Special Publication 800-61, Computer Security Incident Handling Guide, is intended to assist organizations in mitigating the risks from information security incidents by providing practical guidance on responding to incidents effectively and efficiently.

[3] FedCIRC is the federal civilian agencies' focal point for computer security incident reporting, prevention, and response. It is located in the Department of Homeland Security.


OBJECTIVES, SCOPE, AND METHODOLOGY

The purpose of this review was to evaluate the Department's computer incident response capability with a focus on the organizational structure, roles and responsibilities of DOC CIRT and federated CIRT, and operating unit policies and procedures for incident identification, analysis, handling, and reporting.

To satisfy our objective, we reviewed security incident response policies and procedures and incident reports for 10 operating units, as well as reporting of incidents by the operating units to DOC CIRT and FedCIRC. From the Department CIO's office we interviewed the director of the Office of Information Technology Security, Infrastructure, and Technology; IT security program manager; critical infrastructure program manager; and staff of DOC CIRT. We also interviewed the IT security officers and CIRT staff in the following operating units: BIS, Census, EDA, ITA, MBDA, NIST, NTIS, NOAA, and USPTO.

Our criteria included FISMA; NIST Special Publication 800-61, Computer Security Incident Handling Guide; DOC IT Security Program Policy and Minimum Implementation Standards; and Carnegie Mellon University/Software Engineering Institute, Handbook for Computer Security Incident Response Teams.

We conducted this evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections, March 1993, issued by the President's Council on Integrity and Efficiency. We performed our fieldwork from November 2003 to March 2004.


FINDINGS AND RECOMMENDATIONS

I. The Department's Distributed Incident Response Structure Is Appropriate, but the Planned Coordination Mechanism Has Not Been Implemented

To support Commerce's decentralized and diverse organization, many of its computer incident response teams are organizationally part of the operating units. While this permits these teams to have valuable technical and organizational knowledge of the units they serve, it also requires effective communication and coordination among the teams. To achieve communication and coordination, the Department CIO intended to establish what he termed a "CIRT federation" by July 2002. To date, however, a CIRT federation has not been established. Thus, coordination and communication regarding security incident prevention and response do not occur on a systematic basis, and the Department CIO's ability to have an accurate Commerce-wide view of incidents is hampered.

A. A Distributed Structure Suits the Department's Decentralized Organization

One of the initial steps in establishing an incident response capability is selecting the appropriate organizational structure. The Department has a distributed incident response structure. A distributed structure consists of multiple incident response teams located throughout an organization, each being responsible for computer incidents within their area or physical/logical segment of the organization. Currently, all major Commerce operating units and some small units have their own incident response teams, as permitted by Department policy. Consistent with the policy, DOC CIRT has been established to support the Office of the Secretary, as well as the remainder of the units that do not have their own incident response teams. One of the activities performed by the DOC CIRT has been to communicate alerts on security issues and vulnerabilities received from FedCIRC and other sources to the operating units' IT security staff.

The Department is comprised of diverse operating units, each with different missions, network structures, system architectures, applications, intrusion monitoring technologies, and organizational issues. As NIST's Computer Incident Handling Guide observes, accurate analysis and prioritization of incidents are dependent on specific knowledge of the organization's environment. Because of the significant differences among Commerce's operating units, a distributed incident response structure positions each CIRT or CIRC to have specific technical and organizational knowledge of the unit it serves. According to NIST guidance, a distributed incident response structure is effective for large organizations and for organizations with major computing resources at distant locations, both of which are characteristics of Commerce. NIST guidance points out that distributed teams should be part of a single centralized entity so that the incident response process is consistent across the organization and information is shared among teams. This type of structure requires effective communication among the incident response teams and consistent practices for effective incident handling. Information sharing is particularly important because multiple teams may see components of the same incident or may handle similar incidents.

B. The Federation of CIRTs Has Not Been Implemented

To promote coordination and communication, the Department CIO made a commitment to establish a federated computer incident response capability by July 2002, and in a summary of accomplishments accompanying its FY 2003 FISMA report stated, "The Department's computer incident response capability was extended by the establishment of a Federated Computer Incident Response Capability to ensure integration, innovation, and cooperation in Department-wide incident prevention, response, and handling activities." The establishment of a federated capability was similarly reported in the Department's FY 2003 Performance and Accountability Report. However, to date, a federated capability has not been implemented. Thus, coordination and communication regarding security incident prevention and response do not occur on a systematic basis, and the Department CIO's ability to have an accurate Commerce-wide view of incidents is hampered.

A timeline depicting the events related to implementation of a CIRT federation is presented in table 1. In our March 2001 review of the Department's information security program, we noted the lack of an incident response capability at some operating units and recommended that all units have this capability. In its August 2001 review of information security within the Department, the Government Accountability Office[4] (GAO) made a similar recommendation. The Department CIO agreed to implement these recommendations and in an April 2002 memorandum to heads of operating units and CIOs, established a target date of July 2002 for the federation of CIRTs to be working together.

Table 1. Timeline of Events Related to CIRT Federation

    Date             Event
    March 2001       OIG report recommending ensuring all operating units have an incident response capability.[a]
    August 2001      GAO report recommending establishment of Department-wide incident response capability.[b]
    April 2002       Department CIO memorandum establishing target date of July 2002 for the CIRT federation to be working together and interconnected.
    January 2003     Department's new information security policy issued defining at a high level the DOC CIRT and federated CIRT concept.
    June 2003        Federation focus group formed to define a framework, mission, goals, and objectives for CIRT federation.
    August 2003      Focus group white paper submitted to Department CIO.
    November 2003    Focus group activities suspended by Department CIO.

    a. Office of Inspector General, Additional Focus Needed on Information Technology Security Policy and Oversight, OSE-13573, March 2001, U.S. Department of Commerce.
    b. United States General Accounting Office, Information Security Weaknesses Place Commerce Data and Operations at Serious Risk, August 2001.

Following the Department CIO's memorandum, IT security staff from the Department and operating units worked together to define the federated incident response capability. Despite their efforts, minimal progress was made due to significant differences among the operating units and the Department in defining the roles, responsibilities, and operating structure for the federated CIRT. In an effort to resolve these differences, the Department CIO created a federation of CIRTs focus group.[5] In August 2003, this group completed a white paper containing preliminary recommendations entitled, "Framework for the Commerce Federation of Computer Incident Services," and submitted it to the Department CIO. The recommendations addressed the federation's operating framework, capabilities, services, and functions and were designed to achieve the following goals:[6]

• Create and maintain a Commerce-wide perspective of threats against the Department,

• Improve operating unit incident response capability by enhancing communications concerning attacks and compromises,

• Share information to more efficiently and effectively respond to computer security related incidents,

• Make resources available that would otherwise not be available to separately functioning CIRCs, and

• Continually enhance CIRCs' expertise to better support their constituencies.

The white paper stated that a "final draft" report was targeted for September 30, 2003. However, due to operating unit concerns with the recommendations, the Department CIO did not issue the report and suspended further focus group activities.

We believe the goals presented in the white paper are sound, and a CIRT federation having roles and responsibilities designed to achieve them would help the Department CIO attain a Department-wide view of threats and incident response capabilities and promote high quality and consistent incident response services throughout Commerce. However, a CIRT federation is not the only means to achieve these goals. For example, DOC CIRT could be given the responsibility and resources to become the coordinator and focal point for all the CIRTs, with responsibility for such functions as obtaining and providing to the CIO the Department-wide perspective, coordinating the sharing of information and resources, providing guidance and advice, and promulgating best practices to operating units.

The Department CIO needs to work with the operating unit CIOs to determine how best to achieve the goals presented in the white paper—be it through the CIRT federation or some other means—and ensure that the preferred approach is implemented and functioning effectively in a timely manner.

Recommendation

The Department CIO should develop a plan and schedule for defining and implementing an approach for achieving the goals presented in the CIRT focus group white paper.

[4] The Government Accountability Office was formerly called the General Accounting Office.

[5] The Federation of CIRTs Focus Group includes security staff from the following: Census, EDA, MBDA, NIST, NOAA, USPTO, and the Department CIO's office.

[6] White Paper, Framework for the Commerce Federation of Computer Incident Services (FOCIS), Preliminary Recommendations of the DOC Federation of Computer Incident Response Teams Focus Group, August 31, 2003.
II. Some Commerce Operating Units Lack Adequate Incident Response Procedures and Most Lack the Required Reviews and Approvals

The Department's policy requires all operating units to have formal incident response procedures, whether or not they have a CIRT, and to submit these procedures to their operating unit CIO and then to the Department CIO's office for review and approval. The DOC critical infrastructure program manager, in consultation with the DOC IT security program manager, is to develop and approve all policies and procedures for operation of DOC CIRT and the CIRT federation. Procedures are needed to aid in the detection of incidents and to guide operating unit incident response personnel (system and network administrators and IT security officers) during security incidents. According to Carnegie Mellon University's Software Engineering Institute, having written incident response procedures is one of the most important tools for successfully handling incidents. [7]

Table 3 summarizes each operating unit's status for establishing procedures that are detailed and complete enough to support effective incident response, obtaining the approval of the unit's CIO, and obtaining Department approval. Four of the 10 operating units we reviewed, including the Office of the Secretary which houses DOC CIRT, lacked procedures that would support effective incident response; 6 of the 10 units did not receive operating unit CIO approval for their procedures; and only 1 of the 10 units received approval by the Department CIO's office.

The DOC CIRT's lack of adequate procedures is particularly troubling since it is the incident handling organization for the operating units without a formal CIRT. Although DOC CIRT gave us a document entitled Computer Incident Response Guidelines, it provides policy but contains only minimal procedures. Moreover, developed in 1999, the document has not been updated or validated against the current information security policy of the Department, which has changed considerably over the past five years. In addition to DOC CIRT, Census, EDA, and MBDA either lacked documented procedures or had inadequate procedures. Census, which operates a CIRT, indicated it is developing formalized procedures, but could not provide a date for their completion. EDA's directive on incident response purports to provide policies and procedures for incident handling but contains only high-level steps for establishing a capability to do so. MBDA provided a draft document entitled IT Security Emergency Mobilization Plan, dated March 2003; however, this plan only minimally addresses incident response procedures. MBDA's IT security officer stated that with the departure of its CIO in March 2004, many approved IT documents cannot be located.

The procedures we reviewed for the other operating units varied in detail and completeness. Some were highly formalized with flowcharts and checklists that team members are to use to handle an incident, while others had less formal procedures consisting of generic actions to perform during an incident.

Although Department policy requires review and approval of incident response procedures by each unit's CIO, only EDA, NIST, and NTIS's procedures have received such approval. Two operating units, BIS and NOAA, indicated that their incident procedures were approved. However, BIS could not locate the approval memorandum signed by the BIS CIO or provide any other evidence of CIO approval. NOAA's procedures were approved by its director of IT security after NOAA's CIO delegated approval authority. However, the Department's security policy does not provide for delegating this authority.

[7] Carnegie Mellon University, State of the Practice of Computer Security Incident Response Teams (CSIRTs), CMU/SEI-2003-TR-001, October 2003.

Table 3. Incident Response Procedures and Approvals of Operating Units Reviewed in this Evaluation

Operating Unit    Procedures    Procedures Approved     Procedures Sufficiently    Procedures Approved
                  Documented    by Operating Unit CIO   Detailed and Complete      by Department
BIS               Yes           No [a]                  Yes                        No
Census            No            No                      No                         No
EDA               Yes           Yes [b]                 No                         No
ITA               Yes           No                      Yes                        No
MBDA              No [c]        No                      No                         No
NIST              Yes           Yes                     Yes                        No
NOAA              Yes           No [d]                  Yes                        No
NTIS              Yes           Yes                     Yes                        Yes
OS (DOC CIRT)     Yes           No                      No                         No
USPTO             Yes           No                      Yes                        No

[a] BIS indicated its procedures had been approved but could not locate the BIS CIO's approval memorandum or provide other evidence of CIO approval.
[b] EDA did not have a CIO; however, its procedures were approved by the deputy CIO and assistant secretary for economic development.
[c] MBDA provided draft procedures.
[d] NOAA's procedures were approved by NOAA's Director of IT Security.

There is confusion as to which operating units are required to have their incident response procedures approved by the Department. The Department CIO's office provided guidance to the operating units that is not consistent with its information security policy: although the Department's policy requires submission of all operating units' procedures for review and approval, the guidance states that CIRTs established prior to the issuance of the policy in January 2003 do not have to submit their incident response procedures to the Department for review. If this guidance were followed, the only CIRTs required to submit procedures would be those created after the policy was issued, namely the CIRTs established by BEA, NTIA, and NTIS. Since the Department's CIO is charged with protecting IT resources throughout the entire Department, we believe that all operating units should be required to submit their procedures to the Department CIO's office for review and approval.

The Department's security policy requires that the critical infrastructure program manager review and approve operating units' incident response procedures, but approval of NTIS's procedures was granted by the IT security program manager. Differences between the security policy and actual practice need to be reconciled.
In January 2004, NIST published new guidance on incident handling, Special Publication 800-61, Computer Security Incident Handling Guide, whose purpose is to assist organizations in establishing incident response capabilities and efficiently and effectively handling incidents. It addresses organizing an incident response capability, establishing incident response policies and procedures, and handling incidents from initial preparation through the post-incident lessons learned phase. To address the problems with current operating unit procedures and promote quality and consistency throughout Commerce, the Department CIO's office should use this guide as a basis for developing a set of procedures applicable to all operating units and DOC CIRT. While operating units should be permitted to tailor those procedures to specific requirements of their organizations, any changes should be reviewed and approved by the CIO of the unit, as well as the Department's IT security manager and critical infrastructure program manager.

Recommendations

The Department CIO should ensure the following:

1. A plan and schedule is prepared for developing incident response procedures in accordance with NIST Special Publication 800-61 for use by all operating units.

2. Any modifications made by an operating unit to the Department's incident response procedures are reviewed and approved by the unit's CIO and the Department's IT security manager and critical infrastructure program manager.

3. The Department's IT security policy reflects the changes to how incident response procedures will be developed and reviewed and any associated guidance is consistent with the policy.

III. Operating Units' Incident Reporting Is Incomplete and Inconsistent

Under FISMA and Department policy, FedCIRC must be notified of computer security incidents, and Department policy also requires DOC CIRT to be notified of incidents. Accurate reporting and analysis of incident data is an important way for the Department to gain a better understanding of its threats and vulnerabilities, as well as to identify actions and resources needed to better protect its sensitive information. In its guidance, NIST points out that a study of incident characteristics may indicate systemic security weaknesses and threats, as well as changes in incident trends. This data can be used in the risk assessment process and may lead to the selection and implementation of additional controls.

However, reporting of computer security incidents by the operating units and DOC CIRT is incomplete and inconsistent, as shown in table 2. For operating units that do not have formally established CIRTs, the Department's policy requires DOC CIRT to report incidents to FedCIRC; units with formal CIRTs are to report incidents directly to FedCIRC and send a copy of the information to DOC CIRT. Of the 10 total incidents shown as detected in units without formal CIRTs in FY 2003, 8 were reported to DOC CIRT, but only 2 were reported to FedCIRC. Of the 809 total incidents detected in units with formal CIRTs, only 31 were reported to FedCIRC, with 679 reported to DOC CIRT.
Thirty of the 31 incidents reported to FedCIRC were reported by USPTO and 677 of the 679 incidents reported to DOC CIRT were reported by NOAA.

Although NOAA accounts for nearly all of the incidents reported to DOC CIRT, we found the arrangement agreed to by the Department for NOAA's reporting problematic. The Department's policy requires preliminary reporting to DOC CIRT as soon as possible but no later than 24 hours after an incident is discovered; detailed reporting is required within 5 working days of the preliminary report. However, rather than sending specific incident reports, NOAA is permitted to provide DOC CIRT access to its incident database. As a result, DOC CIRT personnel are not explicitly notified of NOAA's incidents. Additionally, our interviews revealed that DOC CIRT personnel are not assessing the information available in NOAA's incident database. NOAA should be required to notify DOC CIRT when an incident occurs, and DOC CIRT should assess the incident information in NOAA's database.

The more than 70,000 incidents shown as detected by NIST and reported to FedCIRC in FY 2003 are actually raw data from NIST's network logs and sensors, which were given to FedCIRC for analysis under a special agreement. While providing this information to FedCIRC, NIST was not reporting specific incidents in accordance with Department policy. Therefore, the information on incidents shown as detected and reported for NIST in the Department's FY 2003 FISMA report is neither meaningful nor correct. NIST officials told us that they no longer send their log and sensor data to FedCIRC and are now providing specific incident reports to both FedCIRC and DOC CIRT. They also told us that in FY 2003, NIST had only one reportable incident, but stated they consider an incident reportable only when a compromise occurs, an interpretation not consistent with the Department's policy, as discussed later in this finding.

Table 2. Incidents Reported by Operating Unit in FY 2003 According to Department FISMA Reporting and DOC CIRT Records

Operating Unit    Number of Incidents Detected,    Number of Incidents Reported     Number of Incidents Reported
                  As Reported in Department's      to FedCIRC, As Reported in       to DOC CIRT, According to
                  2003 FISMA Report                Department's 2003 FISMA Report   DOC CIRT Data

Operating Units Without Formal CIRTs
BIS                          2                                2                                 1
EDA                          0                                0                                 1
ESA                          1                                0                                 0
ITA                          2                                0                                 1
MBDA                         0                                0                                 0
OS [a,b]                     5                                0                                 5
TA                           0                                0                                 0
Total:                      10                                2                                 8

Operating Units with Formal CIRTs
BEA                          2                                0                                 0
Census                      31                                0                                 0
NIST                    72,520 [c]                       70,952 [c]                             0
NOAA                       677                                0                               677 [d]
NTIA                         5                                1                                 2
NTIS                         0                                0                                 0
USPTO                       94                               30                                 0
Total:                     809 [e]                           31 [e]                           679

[a] OS reporting includes OIG.
[b] DOC CIRT resides in OS.
[c] NIST used network log and sensor information to determine this number. However, NIST officials later told us that NIST had no reportable incidents according to the definition in Department policy.
[d] NOAA provided DOC CIRT access to its incident database to obtain preliminary and detailed information concerning computer incidents.
[e] NIST not included in total. (See note c.)

Incident reporting is not a problem experienced only by Commerce. In its FY 2003 FISMA report to Congress, OMB noted that the federal government's incident prevention and management capabilities must be improved, including increased information sharing to rapidly identify and respond to cyber threats and critical vulnerabilities. OMB stated that it has a continuing concern regarding the timeliness and accuracy of incident reporting by agencies. OMB pointed out that less than full reporting makes trend analysis difficult and diminishes the ability to correlate ongoing attacks. [8]

Department's Definition of Reportable IT Security Incident

The Department's policy defines a reportable incident as any act that violates an explicit or implied security policy within the Department or its operating units. It further states that an incident is any adverse event that threatens the security of information resources. The policy states that incidents may include but are not limited to the events described below.

Event                                      Description
Compromise of integrity                    A virus infects a system or network.
Denial of service attack                   An attacker has disabled a system or a network worm has used all available network bandwidth.
Loss of accountability/misuse              An intruder or insider uses an account or a system for unauthorized or illegal purposes.
Damage to any part of the system           A virus or disgruntled employee destroys data.
Compromise of confidentiality/intrusion    An unauthorized outsider gains access to your IT resources.

Source: IT Security Program Policy and Minimum Implementation Standards, U.S. Department of Commerce, January 24, 2003.

We found that one reason for inadequate reporting is that some operating units are unfamiliar with the Department's reporting requirements, and the Department has not enforced them. As shown in the box, the Department's policy defines reportable incidents, and does not limit them to events involving significant compromise. The Department's definition is the same as that of FedCIRC. Nonetheless, several of the CIRT representatives we interviewed stated they were required to report only incidents resulting in significant compromise. In addition, officials from two CIRTs told us they were not aware of the requirement to provide DOC CIRT with an informational copy of incidents that were reported to FedCIRC. Contributing to the reluctance of operating units to report incidents to DOC CIRT is the lack of a secure means of communications. The Department CIO needs to ensure that all operating units understand the reporting requirements, that a secure means of communications is made available, and that a process is put in place for enforcing the requirement for all operating units to identify, track, and report incidents. Table 2 shows that few incidents were detected in most operating units. As discussed in finding IV, we believe that weaknesses in unit incident detection approaches are one reason for this.

[8] Office of Management and Budget, FY2003 Report to Congress on Federal Government Information Security Management, March 1, 2004.

Recommendations

The Department CIO should ensure the following:

1. A formal process is developed to promptly notify DOC CIRT and FedCIRC when an incident occurs, and all operating units and DOC CIRT understand and comply with the Department's policy and process for reporting security incidents.

2. A plan and schedule are developed for implementing an infrastructure for secure communication among the operating units and DOC CIRT.
IV. System Administrators and IT Security Officers Must Improve Their Intrusion Detection Approaches and Obtain Additional Specialized Tools and Training

Although incident detection can help prevent incidents or mitigate their effects, the necessary steps to detect incidents frequently are not taken, including systematically reviewing logging information, preferably using automated tools. In addition, in order for the Department to build and maintain effective incident detection and response capabilities, greater attention must be given to ensuring that staff members responsible for these functions throughout Commerce receive appropriate specialized training.

A. Intrusion Detection Approach Is Inadequate

Although an effective incident response capability is essential, preventing incidents or detecting them before significant damage is done is clearly preferable. Prevention and detection can be facilitated by installing intrusion detection systems and reviewing log information on a regular basis. Our review identified weaknesses in the frequency and approach used to review log information from network devices. We found instances where log information was not reviewed, infrequently reviewed, or reviewed only on a monthly basis. We also found instances of log reviews where large quantities of information were examined using visual inspection as opposed to automated log reviews. Because of the large volume of information to be reviewed, this type of inspection approach can be extremely tedious, error prone, and ineffective in detecting malicious activity.
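As an added illustration of the automated first-pass review this finding calls for (example code written for this edit, not part of the OIG report or of any Department tool), the script below checks each log source against the review cadence the Department's policy sets as described in this finding (daily for perimeter intrusion detection logs, weekly for medium and high criticality servers), then reduces a constructed syslog-style sample to the few events a reviewer needs to see, correlates them, and records the review findings. The source names, the failed-login threshold and the log lines are assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Review cadence as this finding describes the Department's policy:
# perimeter IDS logs daily, medium and high criticality servers weekly.
# The source-kind names are assumptions for this example.
REVIEW_INTERVAL_DAYS = {
    "perimeter_ids": 1,
    "high_server": 7,
    "medium_server": 7,
}


def overdue_reviews(sources, now):
    """sources: iterable of (name, kind, last_reviewed datetime).
    Returns the names of sources whose last review is older than policy allows."""
    overdue = []
    for name, kind, last_reviewed in sources:
        if now - last_reviewed > timedelta(days=REVIEW_INTERVAL_DAYS[kind]):
            overdue.append(name)
    return overdue


# Constructed review status for three sources (invented for this example).
REVIEW_TIME = datetime(2004, 3, 3, 8, 0)
SAMPLE_SOURCES = [
    ("fw-ext IDS", "perimeter_ids", datetime(2004, 3, 1, 9, 0)),  # almost 2 days: overdue
    ("srv-mail", "high_server", datetime(2004, 2, 27, 8, 0)),     # 5 days: within a week
    ("srv-db", "medium_server", datetime(2004, 2, 20, 8, 0)),     # 12 days: overdue
]

# Constructed syslog-style sample (invented; addresses are documentation ranges).
SAMPLE_LOG = """\
Mar 03 01:00:02 srv-mail sshd[4101]: Accepted publickey for ops from 10.1.2.14 port 51022 ssh2
Mar 03 01:03:11 srv-mail sshd[4120]: Failed password for root from 198.51.100.7 port 40111 ssh2
Mar 03 01:03:13 srv-mail sshd[4120]: Failed password for root from 198.51.100.7 port 40111 ssh2
Mar 03 01:03:15 srv-mail sshd[4120]: Failed password for root from 198.51.100.7 port 40111 ssh2
Mar 03 01:03:18 srv-mail sshd[4121]: Failed password for admin from 198.51.100.7 port 40112 ssh2
Mar 03 01:03:20 srv-mail sshd[4121]: Failed password for admin from 198.51.100.7 port 40112 ssh2
Mar 03 01:05:40 srv-mail sshd[4130]: Failed password for jsmith from 10.1.2.20 port 50211 ssh2
Mar 03 01:05:52 srv-mail sshd[4130]: Accepted password for jsmith from 10.1.2.20 port 50211 ssh2
Mar 03 01:10:00 fw-ext snort[1021]: [1:2001219:3] ET SCAN Potential SSH Scan [Priority: 2] {TCP} 198.51.100.7:40200 -> 10.1.1.5:22
Mar 03 01:10:05 srv-mail cron[4200]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
Mar 03 01:10:06 srv-db cron[2210]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
Mar 03 01:12:30 srv-mail sshd[4140]: Accepted publickey for ops from 10.1.2.14 port 51030 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")
IDS_RE = re.compile(r"snort\[\d+\]: \[[\d:]+\] (.+?) \[Priority: (\d)\]")
IDS_SRC_RE = re.compile(r"\{\w+\} (\d{1,3}(?:\.\d{1,3}){3}):\d+ ->")
FAILURE_THRESHOLD = 5  # failed logins from one address before a reviewer is alerted (assumed)


def triage(log_text, reviewer, reviewed_at, failure_threshold=FAILURE_THRESHOLD):
    """Automated initial analysis: reduce the raw log to events of interest and
    return a review record that documents who reviewed what, and what was found."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    failures = Counter()  # failed logins per source address
    ids_alerts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = IDS_RE.search(line)
        if m:
            src = IDS_SRC_RE.search(line)
            ids_alerts.append({"type": "ids_alert", "detail": m.group(1),
                               "priority": int(m.group(2)),
                               "source": src.group(1) if src else None})
        # Routine lines (cron, successful key logins) stay in the raw log but are not surfaced.
    events = list(ids_alerts)
    ids_sources = {a["source"] for a in ids_alerts}
    for src, count in failures.items():
        if count >= failure_threshold:
            # Correlation: the same address in a perimeter IDS alert strengthens the finding.
            events.append({"type": "auth_failure_burst", "source": src, "count": count,
                           "correlated_with_ids": src in ids_sources})
    return {
        "reviewer": reviewer,
        "reviewed_at": reviewed_at.isoformat(),
        "lines_examined": len(lines),
        "events_of_interest": events,
    }


if __name__ == "__main__":
    print("overdue reviews:", overdue_reviews(SAMPLE_SOURCES, REVIEW_TIME))
    record = triage(SAMPLE_LOG, "itso@example.invalid", REVIEW_TIME)
    print(f"{record['lines_examined']} lines reduced to {len(record['events_of_interest'])} events")
    for ev in record["events_of_interest"]:
        print("  ", ev)
```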
We believe that poor incident detection is one reason for few incidents being identified by most operating units, as was shown in table 2.

The Department's IT security program policy requires that log information from perimeter intrusion detection systems be reviewed on a daily basis, and medium and high criticality servers on internal protected networks be reviewed on a weekly basis. It also requires that host-based intrusion detection systems be reviewed, although it does not specify how often. Frequent review of log information is essential in detecting malicious behavior. NIST guidance notes that organizations may receive thousands or millions of possible signs of incidents each day, recorded mainly by logging and computer security software, and that automation is needed to perform an initial analysis of the data and select events of interest for human review. The guidance points out that event correlation software and centralized logging can be of great value in automating the analysis process, but that the effectiveness of the process depends on the quality of the data that goes into it. Thus, every operating unit needs to establish logging standards and procedures to ensure that adequate information is collected by logs and security software and that the data is reviewed according to the Department's policy. The Department CIO's office, in cooperation with the operating units, should evaluate the use of automated tools and data reduction techniques to increase log review efficiency and effectiveness in detecting malicious behavior, and consider the purchase of Department-wide licenses for such tools.

B. Additional Specialized Training Is Needed

Under the Department's policy, operating units must identify positions that require specialized training, as well as the specific requirements of that training. As we reported in our FY 2003 FISMA independent evaluation, progress in this area has been limited. We noted that training for personnel with significant information security responsibilities, such as system administrators and IT security officers, appeared to be inconsistent and incomplete at the units we reviewed. In this review of incident response, we found a similar problem of incomplete and inconsistent training at the various operating units. Overall, we found that units had not identified training requirements for system administrators, network administrators, IT security officers, and IT security staff who are responsible for responding to incidents and reviewing audit log information from network devices. Although some specialized security training in these areas is provided, it is not systematic and does not ensure that staff members have the requisite knowledge and skills. Some operating unit officials attributed inadequate training to limited resources. The Department CIO, in conjunction with the operating units, needs to determine the requirements for specialized training in incident prevention, detection, and response and ensure that staff members responsible for these functions receive sufficient training, including periodic refresher training to keep abreast of ongoing changes to threats, vulnerabilities, and security measures.

Recommendations

The Department CIO should ensure the following:

1. Each operating unit follows the Department's policy for reviewing network device log information. This could be done, for example, by developing and requiring the implementation of a formal process for reviewing network device log information that
   a. Identifies the information to be analyzed and review procedures to be performed,
   b. Requires documentation of review findings, and
   c. Ensures that all operating unit IT security officers oversee the log review and evaluate the logs for actions performed by system administrators.

2. Available tools for automating audit log reviews are assessed and operating units implement those that are most appropriate. Consider purchase of a Department-wide license for appropriate tools.

3. Training requirements are defined and appropriate training is implemented for all IT staff with incident prevention, detection, and response duties, including periodic refresher training.

Attachment

Commerce Chief Information Officer Comments on Draft Inspection Report No. OSE-16522
Management Attention Is Needed to Assure Adequate Computer Incident Response Capability

Finding I. The Department's Distributed Incident Response Structure Is Appropriate, but the Planned Coordination Mechanism Has Not Been Implemented

Recommendation: The Department CIO should develop a plan and schedule for defining and implementing an approach for achieving the goals presented in the CIRT focus group white paper.

Corrective Actions Planned/In Place:
The focus group that created the white paper will be re-convened as an Incident Handling Management Task Force no later than the end of September 2004, and will be charged with advising on revised policy, Department-wide procedures, and overall implementation, with an aggressive schedule, with full implementation scheduled for no later than June 2005.

Finding II. Some Commerce Operating Units Lack Adequate Incident Response Procedures and Most Lack the Required Reviews and Approvals

Recommendations: The Department CIO should ensure the following:
1. A plan and schedule is prepared for developing incident response procedures in accordance with NIST Special Publication 800-61 for use by all operating units.
2. Any modifications made by an operating unit to the Department's incident response procedures are reviewed and approved by the unit's CIO and the Department's IT security manager and critical infrastructure program manager.
3. The Department's IT security policy reflects the changes to how incident response procedures will be developed and reviewed and any associated guidance is consistent with the policy.

Corrective Actions Planned/In Place:
1. The Department's FY 2004 IT Security Compliance Review Program includes review of operating unit policies and procedures for consistency with NIST SP 800-61. This effort is underway and on track for completion by September 30, 2004. Based in part on the results of this review and with the involvement of the task force, appropriate updates will be made to the Commerce IT Security Program Policy and Minimum Implementation by November 2004, and a Department "model CIRT procedures" document will be issued as guidance for Commerce operating units no later than January 2005.
2. Once the Department "model CIRT procedures" are established, the operating units will have the opportunity to develop or revise their CIRT operating procedures so they are consistent with these model procedures.
The revised IT Security policy will require that any operating\n     unit procedures that are not consistent with the model Department procedures be reviewed\n     and approved by the operating unit CIO and the Department\xe2\x80\x99s IT security Program manager\n     and, as appropriate, by the Department\xe2\x80\x99s Critical Infrastructure Program Manager.\n3. \t The revised policy and model CIRT procedures and any associated guidance will be\n     developed so as to be mutually consistent.\n                                                2\n\x0cAttachment\n\n\n\nFinding III.\t Operating Units\xe2\x80\x99 Incident Reporting Is Incomplete and Inconsistent\nRecommendations: The Department CIO should ensure the following:\n1. \t A formal process is developed to promptly notify DOC CIRT and FedCIRC when an incident\n     occurs, and all operating units and DOC CIRT understand and comply with the Department\xe2\x80\x99s\n     policy and process for reporting security incidents.\n2. \t A plan and schedule are developed for implementing an infrastructure for secure\n     communication among the operating units and DOC CIRT.\nCorrective Actions Planned/In Place:\n1. \t The revised policy and procedures will provide for prompt notification of incidents of the\n     Department CIRT oversight staff and of FedCIRC. A training session for all IT security\n     officers and CIRT personnel covering the CIRT-related IT Security policy and the\n     Department model procedures will be held in FY 2005, and implementation will be\n     monitored through the Department\xe2\x80\x99s annual Compliance Review Program.\n2. \t The task force will address secure communication requirements, and a secure\n     communications solution will be in place no later than April 2005.\n\n\nFinding IV. 
\t System Administrators and IT Security Officers Must Improve Their\n              Intrusion Detection Approaches and Obtain Additional Specialized Tools\n              and Training\nRecommendations: The Department CIO should ensure the following:\n1. \t Each operating unit follows the Department\xe2\x80\x99s policy for reviewing network device log\n     information. This could be done, for example, by developing and requiring the\n     implementation of a formal process for reviewing network device log information that\n       a. \t Identifies the information to be analyzed and review procedures to be performed,\n       b. \t Requires documentation of review findings, and\n       c. \t Ensures that all operating unit IT security officers oversee the log review and evaluate\n            the logs for actions performed by system administrators.\n2. \t Available tools for automating audit log reviews are assessed and operating units implement\n     those that are most appropriate. Consider purchase of a Department-wide license for\n     appropriate tools.\n3. \t Training requirements are defined and appropriate training is implemented for all IT staff\n     with incident prevention, detection, and response duties, including periodic refresher training.\nCorrective Actions Planned/In Place:\n1. \t Network device log information handling will be addressed in the revised policy and model\n     procedures, and appropriate tools will be selected and acquired to support this policy and\n     these procedures by March 2005. Compliance monitoring will include this effort.\n2. 
\t Available tools for automating audit log reviews will be assessed and operating units will\n     implement those that are most appropriate supported by the task force during the\n\n                                                 3\n\x0cAttachment\n\n\n   development of the model procedures, with implementation no later than June 2005.\n   Department-wide acquisition of these tools will be considered.\n3. \t Requirements for training for CIRT staff will be determined, both for the short term and for\n     periodic refresher training, with a training plan and schedule in place by March 2005.\n\n\n\n\n                                                4\n\n\x0c"
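The automated first pass over audit logs that Finding IV and its recommendation 1 call for (data reduction of repeated events, selection of events of interest for human review, and a documented review record that sets aside system administrators' actions for IT security officer evaluation), as an added example that is not part of the report or of any Department tooling. The syslog-style format, hostnames, addresses and the three-failure threshold are assumptions constructed for illustration.

```python
"""Added example, not from the OIG report: a first-pass automated audit-log review
of the kind recommended under Finding IV. Log lines, formats and thresholds are
constructed/assumed for illustration, not Commerce systems or policy."""
import re
from collections import Counter

# Constructed sample of one day's syslog-style authentication events (not real data).
SAMPLE_LOG = """\
Jan 14 08:01:11 web1 sshd[412]: Failed password for invalid user admin from 203.0.113.9 port 51022
Jan 14 08:01:13 web1 sshd[412]: Failed password for invalid user admin from 203.0.113.9 port 51023
Jan 14 08:01:15 web1 sshd[412]: Failed password for invalid user admin from 203.0.113.9 port 51024
Jan 14 09:12:40 web1 sshd[433]: Accepted publickey for jsmith from 192.0.2.15 port 40110
Jan 14 09:13:02 web1 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/sbin/useradd backup2
Jan 14 09:13:30 web1 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/rm /var/log/auth.log.1
Jan 14 10:00:00 web1 CRON[500]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<admin>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def review_log(text, failed_threshold=3):
    """Reduce raw log lines to events of interest and return a review record that
    documents what was analyzed (rec. 1a/1b) and which privileged actions the
    IT security officer must evaluate (rec. 1c)."""
    failed = Counter()   # (user, src) -> failed-login count: the data reduction step
    admin_actions = []   # privileged commands set aside for ITSO evaluation
    parsed = unparsed = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # recorded so the review shows its own coverage gaps
            continue
        parsed += 1
        prog, msg = m["prog"], m["msg"]
        if prog == "sshd" and (f := FAILED_RE.search(msg)):
            failed[(f["user"], f["src"])] += 1
        elif prog == "sudo" and (s := SUDO_RE.match(msg)):
            admin_actions.append({"ts": m["ts"], "host": m["host"], "admin": s["admin"],
                                  "as": s["target"], "cmd": s["cmd"].strip()})
    findings = [f"{n} failed logins for {u} from {src}"
                for (u, src), n in failed.items() if n >= failed_threshold]
    findings += [f"{a['admin']} ran '{a['cmd']}' as {a['as']} on {a['host']}" for a in admin_actions]
    return {"lines_parsed": parsed, "lines_unparsed": unparsed,
            "findings": findings, "requires_itso_evaluation": bool(admin_actions)}

if __name__ == "__main__":
    for item in review_log(SAMPLE_LOG)["findings"]:
        print("REVIEW:", item)
```

The three repeated failed logins collapse into one finding, while each sudo command is listed individually so the officer reviewing the record sees every administrator action rather than a count.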